alchemistkay/guestguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(rsvp): defend the edit flow against forwarded invitation links

Browse Source 
When a guest submitted via their invitation and then forwarded the link
(or someone copied the URL), the recipient was shown the original guest's
response and a "Change my response" button. Two real problems:
  - Privacy leak: the original guest's reply was visible
  - Integrity: the recipient could silently overwrite the response

The fix is two layered defences plus a recovery path, matching the
industry pattern used by Eventbrite / Partiful / Lu.ma:

Backend
  - GET /access/{token} now compares the device fingerprint of the
    current request to the fingerprint stored on the existing RSVP.
    When they don't match, the rsvp field is omitted from the
    response and a new rsvp_submitted_elsewhere flag is set instead.
    The original guest's reply stays private.
  - PATCH /rsvp/{token} runs the same gate before scoring. A foreign
    device gets 403 with a hint to request an edit link.
  - The fingerprint check is intentionally narrow (user_agent only),
    so a guest jumping between Wi-Fi and mobile data on the same
    phone still sails through.

Recovery path
  - New POST /access/{token}/request-edit-link mints a short-lived
    edit nonce (Redis, 30-min TTL, SHA-256-hashed), then emails it
    to the guest's address on file via the existing EmailSender.
    Rate-limited to 3 per token per hour.
  - GET /access/{token}?edit=<nonce> and PATCH /rsvp with edit_nonce
    in the body both accept the nonce as a bypass for the
    same-device check. Lets the real guest edit from a new phone
    when their original device is gone.
  - New SendRSVPEditLink method on auth.EmailSender, implemented by
    every concrete sender (log stub / Resend / SMTP / SES), with a
    branded HTML+text template that explains the "we sent this
    because we didn't recognise the device" framing.

Frontend
  - rsvp/[token].vue learns the new "responded elsewhere" state.
    Renders "This invitation has already been used" + a
    "Send me an edit link" CTA when the access response says we
    have somewhere to deliver it. Empty-state copy reads "If you
    forwarded the link, please ask the original guest to reach
    out to the host".
  - When the URL carries ?edit=<nonce>, the page passes it on the
    /access call (so the backend unhides the RSVP), opens the edit
    form pre-populated, and forwards the nonce on PATCH.
  - Removed two leftover leaks from earlier — the page no longer
    shows internal "Risk score N · band" to confirmed or blocked
    guests; the blocked-attempt copy now reads "Something about
    this attempt looked off" rather than "suspicious access
    attempt".

Defensive nil-guard
  - The access handler's NATS publish goroutine now skips when
    deps.AccessPublisher is nil (matches the rsvp publisher's
    existing guard); without it the handler nil-panicked in tests
    that don't wire NATS.

Tests
  - TestFingerprintsSimilar (unit) covers the same-UA / different-UA
    / missing-UA matrix.
  - TestForwardedInvitationLinkDefence (integration) walks the full
    flow: submit from UA-A, hide on UA-B, request link, follow nonce
    from UA-B and edit, then verify a UA-C with a forged nonce is
    still refused.
  - Full integration suite passes (183.5s).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kwaku Danso
2026-05-20 15:09:07 +01:00
parent b34715f152
commit dbddf17e3b
16 changed files with 893 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/rsvp_edit.go
+111
View File
@@ -0,0 +1,111 @@
package api
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"errors"
"time"
"github.com/google/uuid"
"github.com/redis/go-redis/v9"
)
// RSVP-edit nonce store. When a guest revisits their invitation from a
// device that doesn't match the one they originally responded from, we
// hide their RSVP details from the access response so a forwarded link
// can't leak (or alter) their reply. They can request a one-time edit
// link sent to their email/SMS; that link carries a short-lived nonce
// stored here.
//
// We store sha256(raw) so a database snapshot of Redis doesn't give an
// attacker working nonces; the raw value only ever lives in the email
// link the guest receives.
const (
editNonceTTL = 30 * time.Minute
editNonceKeyPrefix = "gg:rsvp_edit:"
)
type editNonceStore struct {
rdb *redis.Client
}
// newEditNonceStore returns nil when Redis isn't configured — the calling
// handler treats nil as "edit-link flow disabled" and falls back to the
// strict same-device rule.
func newEditNonceStore(rdb *redis.Client) *editNonceStore {
if rdb == nil {
return nil
}
return &editNonceStore{rdb: rdb}
}
// Mint creates a fresh nonce bound to guestID, stores its hash with a
// 30-minute TTL, and returns the raw value for embedding in the email
// link. Hex-encoded so it survives URL transit without further escaping.
func (s *editNonceStore) Mint(ctx context.Context, guestID uuid.UUID) (raw string, err error) {
if s == nil {
return "", errors.New("edit nonce store not configured")
}
buf := make([]byte, 24)
if _, err := rand.Read(buf); err != nil {
return "", err
}
raw = hex.EncodeToString(buf)
sum := sha256.Sum256([]byte(raw))
key := editNonceKeyPrefix + hex.EncodeToString(sum[:])
if err := s.rdb.Set(ctx, key, guestID.String(), editNonceTTL).Err(); err != nil {
return "", err
}
return raw, nil
}
// Verify reports whether raw is a still-valid nonce for guestID.
// Doesn't consume the nonce; expiry happens naturally via TTL so the
// guest can refresh the edit page or briefly close + reopen the link
// during the half-hour window without losing their session.
func (s *editNonceStore) Verify(ctx context.Context, raw string, guestID uuid.UUID) (bool, error) {
if s == nil || raw == "" {
return false, nil
}
sum := sha256.Sum256([]byte(raw))
key := editNonceKeyPrefix + hex.EncodeToString(sum[:])
val, err := s.rdb.Get(ctx, key).Result()
if err != nil {
if errors.Is(err, redis.Nil) {
return false, nil
}
return false, err
}
return val == guestID.String(), nil
}
// fingerprintsSimilar reports whether two device fingerprints look like
// the same browser. The check is intentionally narrow: just `user_agent`,
// because it's the strongest signal of "same browser" and the one least
// affected by normal day-to-day variation (changing networks, switching
// rooms, etc).
//
// Conservative-by-default: when either side lacks a user_agent string we
// return false, which causes the access handler to hide the RSVP. The
// legitimate guest in that edge case can still recover via the
// request-edit-link flow.
//
// Two fingerprints with the same user_agent but different IPs are
// considered the same device. This is on purpose: a guest jumping
// between Wi-Fi and mobile data is the same person on the same phone.
// The Gate's full scoring (run on submit/edit, not on access) catches
// the more sophisticated mismatches.
func fingerprintsSimilar(stored, current map[string]any) bool {
if stored == nil || current == nil {
return false
}
s, _ := stored["user_agent"].(string)
c, _ := current["user_agent"].(string)
if s == "" || c == "" {
return false
}
return s == c
}